What to do before and after a cybersecurity breach?

The Changing Faces of Cybersecurity Governance

WHAT TO DO BEFORE AND AFTER A CYBERSECURITY BREACH?

Written By: Gurpreet Dhillon, Ph.D, Virginia Commonwealth University, Richmond, Virginia, gdhillon@vcu.edu

Previous publications in The Changing Faces of Cybersecurity Governance Series

- March 2015: CYBERSECURITY GOVERNANCE: FIVE REASONS YOUR CYBERSECURITY GOVERNANCE STRATEGY MAY BE FLAWED AND HOW TO FIX IT, by Peter Iannone & Ayman Omar
- March 2015: CYBERSECURITY ACT OF 2015 REVIEW: WHAT IT MEANS FOR CYBERSECURITY GOVERNANCE AND ENTERPRISE RISK MANAGEMENT, by Joseph J. Panetta & R. Andrew Schroth
- September 2015: CYBERSECURITY REGULATION AND PRIVATE LITIGATION INVOLVING CORPORATIONS AND THEIR DIRECTORS AND OFFICERS: A LEGAL PERSPECTIVE, by Perry E. Wallace, Richard J. Schroth and William H. DeLone
- September 2015: HOW CAN BOARDS AVOID CYBERSECURITY PAIN? A LEGAL PERSPECTIVE, by Perry E. Wallace, Richard J. Schroth and William H. DeLone

The views and opinions expressed in this paper are those of the author and do not necessarily reflect the position or policy of the Kogod Cybersecurity Governance Center (KCGC).

"We have been hacked!" These are the dreaded words no executive wants to hear. Yet this is exactly how the Monday morning of Amy Pascal, co-chairman of Sony Pictures Entertainment, started when the company discovered that its entire computer system had been hacked by a group calling itself Guardians of Peace. This was one of the biggest attacks of 2014. Several others have followed in 2015 and 2016.

Over the past few years the size and magnitude of cybersecurity breaches have increased. The 2014 South Korean breach, in which nearly 20 million people (40% of the country's population) were affected, epitomized the seriousness of the problem. More recently a breach was discovered at Ukrainian banks: Carbanak, a malware program, infected the banks' administrative computers, and the campaign went on to infect banks in several other countries, including the USA, Russia and Japan. The seriousness of the problem can be judged from the 2016 Internet Security Threat Report published by Symantec: nearly half a billion personal records were stolen or lost in 2015, and on average one new zero-day vulnerability was discovered each week. Once a zero-day vulnerability is discovered, it is added to the toolkit of cyber criminals.

An IBM study concluded that the average data breach costs about 3.52 to 3.79 million US dollars, and the figure rises every year [1]. It is not just the dollar expense that matters in breach situations. It is very likely that the breach damages the company's reputation, and some smaller, unprepared organizations might never recover from a major disaster.

Cybersecurity breaches affect organizations in different ways. Reputational loss and decreased market value have often been cited as significant concerns. Loss of confidential data and compromising competitiveness of a firm can also cause havoc. There is no doubt that preventive mechanisms need to be put in place. However, when an IT security breach does occur, what should be the response strategy? How can the impact of a breach be minimized? What regulatory and compliance aspects should a company be cognizant of? What steps should be taken to avoid a potential attack?

Companies can defend themselves by conducting risk assessments, mitigating the risks they cannot remove, preparing and implementing a breach response plan, and implementing best practices. Past events have shown that better prepared companies are able to survive an attack and continue their business operations. Experts recommend board of directors' involvement in data protection; active participation from senior decision makers can reduce the cost of a data breach. There are several other ways managers can prevent, reduce, and mitigate data breaches.

Reasons for investing in cybersecurity

- Increased frequency
- Greater impact on business continuity
- Data breach costs have skyrocketed

Anthem

Another one bites the dust

On January 29, 2015, it was discovered that Anthem, Inc, one of the nation's leading health insurers, was the victim of a cyberattack in which attackers attempted to gain access to personally identifiable information about current and former Anthem members. The hackers began accessing the information in early December 2014 and, during a nearly seven-week window, were able to gain access to nearly 80 million records [2]. Anthem has indicated that not only current members of Anthem were impacted. On its website [3], Anthem noted, "In addition, some members of other independent Blue Cross and Blue Shield plans who received healthcare services in any of the areas that Anthem serves may be impacted. In some instances, non-Anthem members and non-Blue Plan members may have been impacted if their employer offered Anthem and non-Anthem health plan options. Anthem is providing identity protection services to all individuals that are impacted." Although Anthem maintains that no credit card or financial information was accessed, the threat to individuals' finances remains. The hackers were able to gain access to names, health care ID numbers, dates of birth, Social Security numbers, home addresses, email addresses, and employment information. With this data it is easy to create identities and impersonate someone in a variety of settings.

Home Depot

Sheer embarrassment

In the case of Home Depot, in September 2014 the company announced that its payment systems had been breached, affecting nearly 2,200 US and Canadian store locations in a cyberattack that may have started as far back as April 2014. Embarrassingly, Home Depot was not aware its payment systems were compromised until banks and members of the law enforcement community notified the company months after the initial intrusion. The Home Depot breach actually lasted longer than the Target breach, spanning an estimated four months and resulting in thieves stealing tens of millions of customers' credit and debit card records. In the six months leading up to 2015, Home Depot processed approximately 750 million customer transactions, a treasure trove of information for hackers to focus on.

Sony

Simple blame attribution

Sony faced a cyberattack prior to the expected release of the movie The Interview, in which hackers released usernames and passwords for staging and production servers located globally, in addition to the usernames, passwords and RSA SecurID token details of Sony employees. Sony was forced to turn off its entire computer network infrastructure after it was also discovered that the hackers had posted information for all of Sony's routers and switches, along with the administrative usernames and passwords needed to log on to every server throughout the world. As a result of the Sony attack, an estimated 40% of large corporations now have plans to deal with and address aggressive cybersecurity business disruption attacks. The Sony attack, in which hackers also posted embarrassing work emails of Sony Pictures executives, has led to more buy-in from C-suites and executive boards across all corporations.

Technicalities of a Breach

Now that the attack has happened and victims are reeling from the unsettling feeling that their personally identifiable information is out there somewhere, the real question is how did all this happen in the first place? To answer that question, we must first analyze the security policy that Anthem had in place at the time of the attack in early December 2014. At the time there were several media reports [4, 5] accusing Anthem of inadequate policies for accessing confidential information. The insurer was also faulted for its technical evaluation of software upgrades and for how it verified the authority of people or entities seeking access to confidential information. In addition to these accusations, the buzzword that surfaced after the attack seemed to be "encryption." Anthem was accused of storing nearly 80 million Social Security numbers without encrypting them. Some would argue that while encryption would make the data more secure, it may also render it less useful.

The root of the issue is not a solitary smoking gun. A variety of technical factors contributed to the inevitability of this security breach, but first and foremost in creating a sound security policy is limiting access. As mentioned above, Anthem did a very poor job of formulating sound policies for granting access to its various databases and failed to implement adequate measures to ensure that users without a specific need to access client data were denied it. The secondary issue is encryption: without question, had the data been encrypted, decrypting it and turning it into useful information would have been a significantly more difficult task for the hackers. But let us suppose for a moment that the benefit of using the data in its natural form outweighs the risk of leaving it unencrypted and readily available to hackers in the event of a breach. Are there other ways of protecting the data? Certainly many companies employ a variety of additional safeguards, of which Anthem employed very few. Among them are one-time passcodes generated on a key fob that change after a brief interval (hardware-token two-factor authentication), restricting remote server access to approved source IP addresses, and tokenization, that is, replacing sensitive values with random IDs whose mapping is stored in a separate, unlinked database. Anthem needs to take advantage of the veritable cornucopia of security options available to cover itself from a technical vantage point, or risk having disaster strike again.
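The "random IDs stored in a separate, unlinked database" safeguard described above is tokenization. The following is an added example written for this page, not code from Anthem or from the paper, showing how it keeps the member data usable (duplicate detection by token equality still works) while a dump of the member table alone yields no Social Security numbers. The vault, the HMAC-keyed lookup index and the member rows are all constructed for illustration; in production the vault would be a separately hosted service with its own access controls and audit log.

```python
"""Tokenization of Social Security numbers with a separate vault.

Added example, not code from Anthem or the paper. Application tables hold
only random tokens; the token -> SSN mapping lives in a vault that the
application tier cannot read. All names and data are constructed.
"""
import hashlib
import hmac
import json
import secrets
from collections import Counter


class TokenVault:
    """Holds the only copy of the token -> SSN mapping (hypothetical vault)."""

    def __init__(self, index_key: bytes):
        # index_key is a secret that never leaves the vault. It keys the
        # lookup index so the same SSN always maps to the same token (needed
        # for joins and dedup) without storing SSNs or unkeyed hashes as keys.
        self._index_key = index_key
        self._by_token: dict[str, str] = {}   # token -> SSN
        self._by_index: dict[str, str] = {}   # HMAC(SSN) -> token

    def _index(self, ssn: str) -> str:
        # Keyed HMAC rather than a plain SHA-256: the SSN space is only about
        # 10^9 values, so an unkeyed hash index could be reversed by brute force.
        return hmac.new(self._index_key, ssn.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, ssn: str) -> str:
        idx = self._index(ssn)
        token = self._by_index.get(idx)
        if token is None:
            # 128 random bits: unguessable and carrying no information about the SSN.
            token = secrets.token_hex(16)
            self._by_index[idx] = token
            self._by_token[token] = ssn
        return token

    def detokenize(self, token: str) -> str:
        """Only a privileged, audited caller should reach this path."""
        return self._by_token[token]   # KeyError for an unknown token


# Constructed enrollment feed; both SSNs are well-known invalid sample numbers.
RAW_ROWS = [
    {"member_id": "M001", "ssn": "078-05-1120", "plan": "PPO"},
    {"member_id": "M002", "ssn": "219-09-9999", "plan": "HMO"},
    {"member_id": "M003", "ssn": "078-05-1120", "plan": "HMO"},  # same person, second enrollment
]


def load_member_records(vault: TokenVault, raw_rows: list) -> list:
    """Ingestion: SSNs are swapped for tokens before rows reach the member database."""
    return [
        {"member_id": r["member_id"], "ssn_token": vault.tokenize(r["ssn"]), "plan": r["plan"]}
        for r in raw_rows
    ]


def duplicate_enrollments(member_rows: list) -> list:
    """Analytics that still works on tokenized data: one SSN under several member IDs."""
    counts = Counter(r["ssn_token"] for r in member_rows)
    return sorted(tok for tok, n in counts.items() if n > 1)


def plaintext_ssn_exposure(member_rows: list, raw_rows: list) -> bool:
    """Breach check: does a dump of the member table contain any SSN in cleartext?"""
    dump = json.dumps(member_rows)
    return any(r["ssn"] in dump or r["ssn"].replace("-", "") in dump for r in raw_rows)


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    rows = load_member_records(vault, RAW_ROWS)
    print(json.dumps(rows, indent=2))
    print("duplicate enrollments:", duplicate_enrollments(rows))
    print("SSNs exposed by member table alone:", plaintext_ssn_exposure(rows, RAW_ROWS))
```

The design point is the split: the member database remains fully useful for joins and duplicate detection, but an attacker who dumps it gets only random tokens, and the vault, which holds the mapping, is a much smaller and more tightly controlled target than every application that touches member records.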

Home Depot had similar problems with its security policy. Once the attackers gained access to one of its vendor environments, they could use a third-party vendor's login credentials to open the front door. Once on the network, the hackers exploited a then-unpatched (zero-day) vulnerability in Windows to pivot from the vendor environment to the main Home Depot network. It was then possible to install memory-scraping malware on the point-of-sale terminals, which reads card data out of process memory during the brief window in which the terminal holds it in cleartext. Eventually data for some 56 million credit and debit cards was stolen. The Home Depot breach could have been prevented, or at least contained. While the network environment did have Symantec Endpoint Protection installed, its Network Threat Protection feature had not been turned on. While this would not have guaranteed security, it would certainly have made life more difficult for the hackers. Moreover, the policy seemed deficient in terms of a proper vulnerability management program.
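A memory scraper of the kind described above works by searching process memory for magnetic-stripe track data and bare card numbers. The same search, run by a defender over a process dump or a log capture, is a practical check that no PAN survives in cleartext on a terminal or in its logs. The following is an added example written for this page, not Home Depot's code or the attackers'; the byte buffer standing in for a memory page is constructed, and the two card numbers in it are publicly documented test numbers.

```python
"""Scan a memory dump or log buffer for cleartext payment card data.

Added example, not code from Home Depot or from the paper. It applies the
pattern a POS memory scraper uses (Track 2 data and bare PANs, confirmed
with a Luhn check) so that a defender can verify a process dump or log
contains no cleartext card numbers. SAMPLE_DUMP is constructed test data.
"""
import re

# Track 2 as read from the stripe: ;PAN=YYMM<service code><discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})\d{3,}\?")
# A bare 13-19 digit run, optionally space- or dash-separated, not part of a longer run
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check; filters out most random digit runs (timestamps, reference IDs)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """First six and last four digits only; a scan report must never log the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_card_data(buf: bytes) -> list:
    """Return one finding per distinct Luhn-valid card number found in buf."""
    findings = []
    seen = set()
    # Full track data first: it proves the terminal held stripe data in cleartext.
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            seen.add(pan)
            findings.append({"kind": "track2", "pan_masked": mask_pan(pan),
                             "expiry": m.group(2).decode(), "offset": m.start()})
    # Then bare PANs, e.g. a card number echoed into a debug log line.
    for m in PAN_RE.finditer(buf):
        pan = re.sub(rb"[ -]", b"", m.group(0)).decode()
        if pan in seen or not luhn_valid(pan):
            continue
        seen.add(pan)
        findings.append({"kind": "pan", "pan_masked": mask_pan(pan),
                         "expiry": None, "offset": m.start()})
    return findings


# Constructed stand-in for a page of POS process memory.
SAMPLE_DUMP = (
    b"\x00\x00pos-agent v4.2\x00txn=20140910T143501\x00"
    b";4532015112830366=1812101000000000?\x00"      # Track 2 with a Visa test PAN
    b"amount=4999 store=0421 lane=07\x00"
    b"log: card 5425 2334 3010 9903 approved\x00"   # Mastercard test PAN echoed into a log
    b"ref=12345678901234\x00"                       # 14 digits that fail the Luhn check
)


if __name__ == "__main__":
    for f in find_card_data(SAMPLE_DUMP):
        print(f"{f['kind']:6} at offset {f['offset']:5}: {f['pan_masked']} exp={f['expiry']}")
```

Two findings come back for the sample: the Track 2 record and the PAN in the log line, while the 14-digit reference number is rejected by the Luhn check. On a real terminal the buffer would come from a process memory dump or a log export, and any finding at all means the data is exposed to exactly the scraper the Home Depot attackers installed.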

Policy Considerations

A variety of technical and human factors contribute to the inevitability of a breach. In the majority of cases, fingers have been pointed at the technical inadequacy of the enterprise. In the case of Anthem, it was the lack of encryption. For Home Depot, it was the lack of technical controls to prevent malware from collecting customer data. At Target, there was a basic network segmentation error.

Occasionally we hear of issues related to policy violations. In the case of Anthem, the US Department of Health and Human Services may impose a fine of some $1.5 million for HIPAA violations. In many instances efforts are made to ensure security policy compliance through rewards, punishment or some behavioral change amongst employees. Rarely do we question the efficacy of the policy itself. Was the policy created properly? Was it implemented adequately? Were the various stakeholders involved? Were any change management aspects considered? These are fundamental issues that need consideration.

Unfortunately, these questions never get addressed. Security policies keep being formulated and implemented in a top-down, cookie-cutter manner. Organizational emphasis remains on punitive controls, and little attention is given to the content of the policy itself or to how it is communicated to those expected to follow it. So, how can organizations ensure that a coherent and secure strategic posture is developed?

- Security education, training, and awareness programs need to be established and monitored on an ongoing basis.
- All constituents are given access to the cybersecurity strategic goals, which helps inculcate ownership and hence compliance.
- Various stakeholders should be involved and encouraged to participate in cybersecurity decision-making, which helps increase compliance.

Reputation and Responsiveness

Reputational damage is significant following a data breach, particularly if a company fails to respond promptly. Following the Anthem, Sony and Home Depot breaches, various social media outlets criticized the companies for their delayed or inadequate responses to the breach. In terms of crisis management, a three-day delay is considered significant. Post-crisis communication and a response strategy are essential to ensure that the right message gets through. Transparency in how the breach is being handled has its own added importance.

Another well publicized breach was that of JP Morgan Chase, where hackers were able to steal confidential data for nearly 76 million US households. The author and a colleague started collecting Twitter data following the JP Morgan Chase breach in order to undertake a sentiment analysis. Our objective was to assess how individuals reacted to the breach. 39,416 tweets were collected during the month of October 2014 [6]. Analysis of the results suggests that more than half of the tweets expressed negativity. Other significant findings included:

- When responsibility for a data breach is attributed to a company, it results in negative emotions, which in turn translate into negative word of mouth and even severed relationships with the enterprise.
- If the negativity related to the breach is high, the negative word of mouth spreads more quickly (in our case, Twitter postings exhibited a shorter re-tweet latency).
- The initial attribution of responsibility for the breach shapes the reputation of the firm. Hence, it is important to frame the message and the attribution of responsibility carefully, since they have a direct reputational impact.

Risk and Resilience

When a data breach occurs, post-crisis communication is perhaps the only opportunity a company has to repair its reputation. Crisis situations can have many negative consequences, ranging from lost customers, profitability, and market share to declining stock prices and job losses. A much less explored, but very important, factor is the impact of a crisis on organizational reputation. Corporate risk and resiliency planning is important for organizations to be able to bounce back from disruptions and thus retain stakeholder confidence. Understanding and identifying potential adverse events in computerized networks is important for planning and implementing resilient mechanisms to defend against, detect, and remediate such threats. Risk is reduced when organizations implement both resilient technical and socio-organizational mechanisms. There is a need to integrate risk and resilience mechanisms into the organizational culture to prevent security breaches. There are four key characteristics of any risk and resilience approach:

- The approach should provide a holistic framework, which assesses the systems and their interactions: from a system to the network, from the network to the organization, and subsequently the societal impact.
- The approach should emphasize the capacity to manage the full range of hazards.
- There need to be options for dealing with uncertainties, surprises, and any potential changes.
- The focus should be on proactive management.

Hence a system that effectively reduces risk is going to be more resilient to security breaches. Risk reduction means deflecting risk and sharing it. The ability of an organization to prepare for surprises and respond effectively to breach incidents also characterizes organizational resilience.

Governance

Well-considered governance is at the core of any successful cybersecurity program. Many important aspects require consideration: policy, best practices, ethics, legality, personnel, technical controls, compliance, auditing, and awareness. Weak governance is often considered to be the cause of organizational crises. Over the past several decades, we have observed that institutions where governance was poor or the structures of accountability and responsibility were unclear have been susceptible to security breaches. Consider, for instance, the multi-billion dollar loss experienced by Société Générale because of Jérôme Kerviel's violation of internal controls, or the case of Barings Bank, where Nick Leeson circumvented established controls. Société Générale and Barings Bank showcase a lack of governance as the prime reason for the breaches. Key principles for sound and robust security governance include:

- Senior leadership commitment to cyber security is essential for good security governance.
- Cyber security is considered strategically, with due consideration of risk management, policy, compliance and incident handling.
- Clear lines of communication are established between strategic thinkers and operational staff.

Steps to avoid a potential attack

Managers can take steps today to avoid potential breaches and mitigate damage when breaches occur. There is a vast amount of data from many sources that purports to answer exactly how to prepare for the inevitability of a cyber attack. Because the nature and purpose of every attack is different and the composition of every business is different, there is no single prescription for prevention. However, by boiling down the data from multiple sources, we can derive a list of high-level practices that all organizations should adopt.

- Executive buy-in
  - In order to create an optimal cybersecurity policy, support has to come from the top levels of the organization. Security must become a core part of the organizational culture.
- Fully understand your risk profile
  - By knowing your industry and its attack vectors, what is valuable to your organization and how to protect those assets, security personnel can effectively create, support and promote cyber security initiatives.
  - Identify and classify different cyberattack scenarios.
- Take threats seriously
  - Many organizations understand the full extent of the damage that can be done during an attack as well as in its aftermath. However, many companies choose to ignore the possibility of such an attack happening to them, or they are willing to accept the risk of not taking adequate precautions because of cost or complexity.
- Policy enforcement
  - Policies can be as simple as requiring strong passwords, but should ideally go well beyond passwords. Security policies should be documented and automated wherever possible to avoid human error or omission. Circling back to executive buy-in, policies should be part of a culture that everyone chooses to follow.
  - Keep things in simple terms that non-IT executives and users can understand.
- Training
  - Security awareness and policy enforcement are crucial in order to create a security culture within an organization. Awareness of policies, security-related and otherwise, should be of paramount concern to all organizations.
  - There should be specialized training for those who deal with the most sensitive data in the company.
- Employee screening
  - Not all prospective employees share the values of the business owners and stakeholders. Employees should be screened not only to ensure that their skills meet the requirements of the position but, more importantly, that their values closely match those of the organization.
  - Remember that people are often the weakest link in a security chain.
- Offline backup of critical data
  - Data is the lifeblood of an organization. Data loss is often as damaging, in money and in brand, as a data breach. Many organizations never fully recover from data loss events; some go out of business entirely. A copy of critical data in a secure offsite location is one small step that should not be overlooked.
- Invest intelligently in security
  - Information overload prevents many organizations from making intelligent security decisions. There are a thousand vendors pitching a thousand variants of "best practice" security models. Create a plan based on the needs of the organization and implement policies and tools that augment the plan. Avoid tying your security policy to any vendor's software or hardware. There is no "one-size-fits-all" solution.
  - One of the more direct methods for avoiding a security breach is to implement application whitelisting. Application whitelisting can prevent many forms of breach in which a spoofed application lets a virus or other malware pass firewalls and scanners without detection.
- Keep systems updated
  - Another direct method for avoiding a breach is simply to apply security patches to software and hardware systems on a prompt and routine schedule. This may appear to most as a "no-brainer" but is often overlooked.

The list above describes concepts that every organization should consider to improve its cyber security preparedness. These concepts can be tailored to fit the individual organization's culture and data protection requirements. Regardless of the specifics, every organization should understand the company's security chain. The CEO must enable the Chief Compliance Officer (CCO), the Chief Privacy Officer (CPO), the Chief Information Officer (CIO) and so on to ensure each understands their role before, during and after an attack. Working together, these individuals must create and own an enterprise-wide Incident (or Risk) Management Plan, a Data Management program, an Incident Response Plan and communication/reporting plans. Once these are in place, more detailed workflows, such as the Continuous Diagnostics and Mitigation (CDM) program from the Department of Homeland Security (DHS), can be adopted. This program utilizes commercial off-the-shelf (COTS) software and hardware to continually monitor for security-related events and to continuously improve processes and risk prioritization. A CDM-style framework (see Figure 1) also provides a practical model that any organization can adopt and tailor to its specific cyber security requirements.

In this day and age managers have to be proactive in preventing an attack. The question is no longer whether a company will be hacked but what the protocol will be when it is. Being vigilant about even the smallest and seemingly insignificant changes can be extremely useful. To protect customers and employees from having their financial or private information stolen, both industry and governments have implemented regulations intended to secure against common cyber-attacks. To combat credit card fraud, the Payment Card Industry created the Data Security Standard (PCI DSS), which requires merchants who process credit cards to take specific measures that help protect against hacking attacks. The European Union, United Kingdom, United States, and Canada are among the governments that have also instituted privacy acts meant to regulate how businesses protect their customer and employee data from malicious hackers. In addition to the fees and legal ramifications that can come as a result of failing to comply with the

Figure 1, Continuous Diagnosis and Mitigation Framework (system scans on a continuous basis):
1. Install sensors or mechanisms to collect potential hazards
2. Automatic search at regular intervals for potential flaws
3. Collect results from different divisions and/or stakeholder groups
4. Triage and analyze results on an ongoing basis
5. Fix the most critical issues first and develop a priority list
6. Report progress and continuously improve
